July 11, 2014
How a Scanner Infected Corporate Systems and Stole Data: Beware Trojan Peripherals
Kurt Marko
Forbes
A new form of highly targeted cyber attack plainly demonstrates the shift in malware sophistication and motivation. Annoying hacker pranks done for fun and sport have been supplanted by sophisticated, multi-stage software systems designed for espionage and profit. The new attack, discovered by TrapX, a developer of security software formerly known as CyberSense, belongs to an increasingly common genre known as the Advanced Persistent Threat (APT), the type of attack that stole debit card numbers from Target and sensitive data and login credentials from any number of companies. What makes this recent attack noteworthy isn’t its basic design, operation or targets, but its means of initial delivery: contaminated firmware on a type of industrial barcode scanner commonly used in the shipping and logistics industry. Much as the infamous Stuxnet worm that took out Iranian centrifuges penetrated ostensibly highly secure networks via ordinary USB thumb drives, the so-called Zombie Zero worm invaded corporate data centers through a back door.
Anatomy of the Attack
Source: Wikipedia; Advanced persistent threat
According to TrapX, the malware was loaded onto the scanner’s Windows XP Embedded OS as shipped from the factory by an undisclosed Chinese manufacturer. TrapX believes the manufacturer was directly, if not solely (more on that later), responsible for the malware since: (a) later analysis found that 16 of 48 scanners one customer had recently deployed were infected, and (b) TrapX detected the same malware in a firmware update file on the manufacturer’s website; the company initially removed the update after TrapX notified it of the problem, but later restored it with the malware intact. Carl Wright, EVP & General Manager at TrapX, says three elements make this attack noteworthy and dangerous:
- it targets a zero-day vulnerability on one of the most popular ERP systems used by many enterprises
- it’s polymorphic, namely the code can adapt and change to both elude detection and avoid different network security countermeasures
- it’s the first malware he’s seen delivered on hardware fresh from the manufacturer
Once delivered, the attack itself follows a pretty standard APT playbook. The compromised scanners, which use Wi-Fi to send package information to one or more central databases, give attackers a foothold inside a company’s network. In stage 1 of the attack, the scanner malware probes the network using the widely used Windows file sharing (SMB, ports 135/445) and remote administration (Radmin, port 4899) protocols, looking for servers with “finance” as part of the hostname. Although SMB is commonly blocked by corporate firewalls, remote administration ports are often left open to facilitate network-wide server management. Since many companies also use descriptive words in their server names, the attack was generally successful at finding any ERP systems on the network. If the ERP server happened to be running the vulnerable software, which was likely since according to Wright it is among the top three in ERP sales, the malware entered and compromised the system through the zero-day vulnerability.
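The stage-1 behaviour described above has a simple defensive signature: a scanner should only ever talk to its package database, so a scanner reaching many internal hosts on 135, 445 or 4899 is probing. The following is an added example, not code from the article or from TrapX, that runs that check over constructed firewall log lines; the scanner and database addresses, the log format and the policy table are all hypothetical.

```python
# Added example (not from the article or TrapX): flag a peripheral that behaves
# like Zombie Zero's stage 1, i.e. a scanner that should only reach its package
# database but instead probes internal hosts on SMB (135/445) or Radmin (4899).
import re
from collections import defaultdict

# Ports the article names for the scanner's stage-1 probing.
PROBE_PORTS = {135, 445, 4899}

# Constructed policy: each scanner may only reach its database host/port.
# Addresses are hypothetical placeholders, not values from the article.
PERIPHERAL_ALLOWED = {
    "10.20.5.11": {("10.20.9.50", 1433)},   # scanner-01 -> package DB
    "10.20.5.12": {("10.20.9.50", 1433)},   # scanner-02 -> package DB
}

# Constructed sample firewall log lines (key=value style).
SAMPLE_LOG = """\
2014-07-11T08:00:01 ACCEPT src=10.20.5.11 dst=10.20.9.50 proto=tcp dport=1433
2014-07-11T08:00:05 ACCEPT src=10.20.5.12 dst=10.20.9.50 proto=tcp dport=1433
2014-07-11T08:00:09 ACCEPT src=10.20.5.12 dst=10.20.7.21 proto=tcp dport=4899
2014-07-11T08:00:10 DROP src=10.20.5.12 dst=10.20.7.22 proto=tcp dport=445
2014-07-11T08:00:10 ACCEPT src=10.20.5.12 dst=10.20.7.23 proto=tcp dport=4899
2014-07-11T08:00:11 ACCEPT src=10.20.5.12 dst=10.20.7.24 proto=tcp dport=135
2014-07-11T08:00:15 ACCEPT src=10.20.3.7 dst=10.20.7.21 proto=tcp dport=4899
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=\w+ dport=(?P<dport>\d+)$")

def parse_log(text):
    """Yield (src, dst, dport, action) tuples; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["action"]

def find_probing_peripherals(text, allowed=PERIPHERAL_ALLOWED, min_hosts=3):
    """Return {src: sorted distinct hosts probed} for every managed peripheral
    that contacts at least min_hosts hosts on the probe ports outside its
    allowed set. DROP lines count too: a blocked SMB probe is still a probe."""
    probed = defaultdict(set)
    for src, dst, dport, _action in parse_log(text):
        if src not in allowed:
            continue  # not a managed peripheral; out of scope for this check
        if (dst, dport) in allowed[src]:
            continue  # expected traffic to its own database
        if dport in PROBE_PORTS:
            probed[src].add(dst)
    return {s: sorted(h) for s, h in probed.items() if len(h) >= min_hosts}
```

Only scanner-02 is reported: it reaches four hosts on the probe ports, while scanner-01 talks only to its database and the workstation at 10.20.3.7 is not in the peripheral policy at all.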
TrapX’s report describes Stage 2 of the attack this way:
[The malware uploaded] a “stand-by” weaponized payload from the scanner that established a comprehensive command and control connection (C&C) to a Chinese botnet that terminated at the Lanxiang Vocational School located in “China UnicomShandong province network”. A second payload was then downloaded from the botnet that established a more sophisticated CnC of the company’s finance server. A secondary stealth botnet CnC network (the owner of the IP address was masked) was also established and terminated at a location/facility in Beijing.
Source: TrapX Zombie Zero report
Connection to prior attacks?
Wright notes that the Lanxiang school, which was implicated in prior attacks on Google and other U.S. corporations, is near the scanner manufacturer, so it’s the attack’s likely source. The C&C network was then used to load additional software on compromised ERP systems and then copy the entire financial database.
It’s unclear how many companies have been compromised by Zombie Zero, but Wright says TrapX has already worked with 7 victims in the shipping and logistics industry and recently found variants of the attack targeting manufacturers.
APTs used for cyber crime and espionage are nothing new; however, the typical entry point is a targeted spear phishing email with a malicious attachment or Web link that executes a PC client-based attack. Once it has established a toehold inside a corporate network, most APTs use some variation of the Zombie Zero techniques: connect to a C&C botnet, establish covert external communications, scan for additional targets, map internal networks, load more sophisticated software and exfiltrate data. What makes Zombie Zero unusual is the entry point: weaponized peripherals from apparent conspirators at the manufacturer.
Hardware: the new attack delivery vehicle
Of course, accusations of hardware compromised with a Trojan Horse are nothing new in the ongoing Sino-American cyber propaganda war. A highly publicized 60 Minutes report, which led to a Congressional investigation, accused the Chinese telecom giant Huawei of facilitating Chinese government spying and cyber war. On the other side, revelations from the Snowden files in a recent book claim that:
The NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers.
The agency then implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on. The NSA thus gains access to entire networks and all their users.
However, the TrapX report is perhaps the first demonstration of malware-laden hardware implementing an exploit that’s directly tied to prior sources of Chinese cyber attacks. Given that TrapX accidentally discovered the exploit during a pilot test of its software for a prospective customer, and the fact that the attack had managed to evade each victim’s existing IT security systems, it’s impossible to assess how extensive the threat actually is. However, the entry method could be extended to any number of seemingly innocuous peripheral devices like Wi-Fi access points, printers, video cameras, or set top boxes.
We appear to have entered a dangerous new era in cyber crime and espionage in which UL-style independent vetting of a device’s security and integrity is needed and will become the norm.